Vulnerability Description
vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox This vulnerability is fixed in 3.11.0.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vm2 Project | Vm2 | >= 3.9.6, < 3.11.0 |
Related Weaknesses (CWE)
References
- https://github.com/patriksimek/vm2/security/advisories/GHSA-vwrp-x96c-mhwqExploitVendor Advisory
- https://github.com/patriksimek/vm2/security/advisories/GHSA-vwrp-x96c-mhwqExploitVendor Advisory
FAQ
What is CVE-2026-44005?
CVE-2026-44005 is a vulnerability with a CVSS score of 10.0 (CRITICAL). vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying h...
How severe is CVE-2026-44005?
CVE-2026-44005 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-44005?
Check the references section above for vendor advisories and patch information. Affected products include: Vm2 Project Vm2.